Abstract

Acquisition data underpin the management and oversight of the U.S. defense acquisition portfolio. However, balancing security and transparency has been an ongoing challenge. Some acquisition professionals are not getting the data they need to perform their assigned duties, or are not getting the data and information in an efficient manner. To help guide the Office of the Secretary of Defense (OSD) in addressing these problems, the RAND Corporation identified access problems at the OSD level, including at those organizations that require access to data and information to support the OSD, such as analytic-support federally funded research and development centers and direct support contractors, and evaluated the role of policy in determining access. The study also involved a limited review of how data are shared between the OSD and the military departments. The resulting report, Issues with Access to Acquisition Data and Information in the Department of Defense (DoD), finds that the process for gaining access to data is inefficient and may not provide access to the best data to support analysis, and that OSD analytic groups and support contractors face particular challenges in gaining access to data. Given the inherent complexity in securing data and sharing data, any solutions to problems associated with data sharing must be well thought out to avoid the multitude of unintended consequences that could arise.

Introduction 

Acquisition data are vast and include such information as the cost of weapon systems (both procurement and operations), technical performance, contracts and contractor performance, and program decision memoranda. These data are critical to the management and oversight of the $1.5 trillion portfolio of major weapon programs by the Office of the Under Secretary of Defense for Acquisition, Technology and Logistics (OUSD[AT&L]; GAO, 2014, p. 3). Data collection and analysis enable the Department of Defense (DoD) to track acquisition program and system performance and ensure that progress is being made toward such institutional goals as achieving efficiency in defense acquisition and delivering weapon systems to the field on time and on budget.

Many organizations or groups need access to this information for a variety of purposes (e.g., management, oversight, analysis, and administration). These organizations include various offices of the DoD, federally funded research and development centers (FFRDCs), university-affiliated research centers (UARCs), and a range of support contractors. For example, an FFRDC may need cost and schedule information to determine whether a weapon system was delivered on time and within budget. Or a support contractor may be responsible for managing a centralized information system for the DoD that contains information about specific procurement programs. Note that this discussion does not include classified data, which are not a topic of this report.[1]

However, these organizations may have difficulty getting access to these data. Some examples of the types of issues identified by individuals within DoD offices include the following:

• "It took me three months, multiple e-mails, and phone calls to get a one-hour meeting with five SES [DoD senior executive service-level employees] to view data that might be proprietary."

• "Each access account I create is like five touch points between an email, phone call, their POC, certificate handling, vetting. It's a lot of work."

• "If there are dozens of support contractors and dozens of prime contractors and I have to get an NDA [nondisclosure agreement] for each support contractor and prime contractor combination, it's a lot of work."

Examples of the types of issues identified by FFRDC, UARC, and direct support contractors include the following:

• "The sponsor has to have access, then request a download of several documents I need, then transfer the data to me."

• "I couldn't get access because I didn't have a .mil e-mail address."

In some cases, the information may be the intellectual property of a commercial firm. Sometimes such information is designated proprietary. Using this information requires the permission of the firm that owns it. The process of getting permission can be time-consuming, may never yield permission, or may simply be too onerous. An example of the third possibility is a database that holds proprietary information from many firms, requiring support contractors to sign NDAs with each firm; the firms could number many dozens, and obtaining every NDA could take a very long time.

The Office of the Secretary of Defense (OSD) asked the RAND National Defense Research Institute to identify the problems and challenges associated with sharing unclassified information and to investigate the role of policies and practices in such sharing in the first phase of two analyses on acquisition data (Riposo et al., 2015). In the second phase, RAND was asked to evaluate how Controlled Unclassified Information (CUI) marking and labeling procedures, practices, and security policy affect access to acquisition oversight data (McKernan et al., 2016). This article presents the approaches, findings, and options for improvement for both analyses.


[1] Classified information is any information designated by the U.S. government for restricted dissemination or distribution. Information so designated falls into various categories depending on the degree of harm its unauthorized release may cause. This report does not deal with classified information.
Phase 1 Approach

We pursued a three-pronged approach for the first phase of this research, with the objective of defining and evaluating any data-sharing problems. The first part of the approach was a policy review. We began by reviewing DoD directives, instructions, manuals, and guides, along with executive orders, legislation, and regulations concerning information management. The objective of the review was to develop a framework for understanding what governs information sharing in DoD acquisition. As part of this search, we also looked at a limited number of key federal policies that might affect data sharing within the DoD.

We then met with individuals within OSD to discuss information sharing, which is the second part of our approach. We used these discussions to help identify information-sharing practices and issues associated with data access and releasability. The discussions also helped us identify relevant policies and practices. We selected a sample of offices within OUSD(AT&L) to reflect a variety of roles in the acquisition process. We spoke with data owners, maintainers, users, and individuals involved with the governance of information. We categorized the offices represented in the sample by their missions and roles. This step led to three main categories of OSD offices:

• functional and subject-matter experts
• Overarching Integrated Project Team/Defense Acquisition Board (OIPT/DAB) review offices
• analysis offices

Within the OSD, the functional and subject-matter experts mainly work within a specialty (e.g., testing, cost, systems engineering, contracts, earned value). Those in the OIPT offices are primarily responsible for direct interaction with acquisition programs to review portfolio status and program readiness as programs move through the acquisition process. The analysis offices conduct a variety of crosscutting analyses in defense acquisition. The offices that fall into these categories appear in Table 1. We also interviewed service-level acquisition personnel to determine the role that the services play in DoD data sharing.

Our goal for the interviews was to collect the following information regarding interviewees' data sharing and practices:

• role in the acquisition process
• data needed to perform one's job
• how data are handled, obtained, and provided to others
• data access or release problems
• data-sharing recommendations
Table 1. Offices With Roles in the Acquisition Process

Functional and Subject-Matter Experts
  • OUSD(AT&L) Performance Assessments and Root Cause Analyses (PARCA) Earned Value Management (EVM)
  • OSD Cost Assessment and Program Evaluation (CAPE)
  • OUSD(AT&L) Human Capital Initiative (HCI)
  • OUSD(AT&L) Defense Procurement and Acquisition Policy (DPAP)
  • OUSD(AT&L) Developmental Test and Evaluation (DT&E)
  • OUSD(AT&L) Systems Engineering (SE)

OIPT/DAB Review Offices
  • OUSD(AT&L) Deputy Assistant Secretary of Defense (DASD) Tactical Warfare Systems (TWS)
  • OUSD(AT&L) DASD Space, Strategic and Intelligence Systems (SSI)
  • OUSD(AT&L) DASD Command, Control, Communication, Cyber and Business Systems (C3CB)

Analysis Offices
  • OUSD(AT&L) Acquisition Resources and Analysis (ARA)
  • OUSD(AT&L) Defense Acquisition University (DAU)
  • DPAP
  • FFRDCs
  • OUSD(AT&L) PARCA (outside EVM)


The final part of our three-pronged approach for phase 1 involved conducting two case studies to illuminate key issues and challenges associated with data access. Both embody several key data access issues as interviewees perceived them. The first case study examines the use of proprietary information (PROPIN) in acquisition, with a particular focus on earned value data. The second looks at the various central data repositories that OSD maintains and uses; more specifically, it focuses on the background, benefits, and problems associated with these repositories. During our introductory interviews, we heard about problems with using, managing, and accessing PROPIN due to the need to involve direct support contractors in the collection and analysis of these data. Such relationships require the use of NDAs to help prime contractors and subcontractors protect their information. Both case studies are informed by the interview results and the policy analysis.

Phase 2 Approach

During the second phase of this analysis on acquisition data, we evaluated how CUI marking and labeling procedures, practices, and security policy affect access to acquisition oversight data. Our work for this phase of research on managing and handling acquisition data within the DoD included policy analysis, structured discussions with government personnel, and a literature review to further understand and evaluate proprietary information sharing, the origins of commonly used acquisition labels, and how security policy affects the management of two acquisition information management systems within the OUSD(AT&L). We executed our work through three main tasks.

• Identify and evaluate options to improve nongovernment employee access to proprietary information: We continued to explore the source of the problems identified in our earlier research with sharing proprietary data among the government, the contractor-originators who provide the acquisition information, and other nongovernment entities such as FFRDCs, Systems Engineering and Technical Assistance (SETA) support, and information technology (IT) support contractors who support the government. We developed a range of options for improving direct access for nongovernment employees to proprietary data and documented the options that the OUSD(AT&L) is pursuing to improve sharing. We characterized the options and their advantages and disadvantages and assessed implementation strategies for them.
• Characterize commonly used data markings that support acquisition decision-making and oversight and identify the origins of those markings: We focused on CUI labels that are commonly used by DoD government and nongovernment employees in the acquisition process. We identified their basis in law and policy and determined whether the policy prescriptions they provide for data labeling and access are clear and consistent and accord with OUSD(AT&L) goals. OUSD(AT&L) decision-making and oversight is intimately connected to acquisition data access, research, and analysis. Whether these data are available for timely, actionable decision-making partially depends on the type of data, the data control system, and the ability of data users to properly identify and label data and, if necessary, challenge improperly marked data.

• Describe how DoD security policies, processes, and procedures affect OUSD(AT&L)'s ability to provide efficient and secure access to acquisition data: This task involved multiple steps. First, we collected policies that affect information security and defense acquisition data for two information systems within the OUSD(AT&L): the Acquisition Information Repository (AIR) and the Defense Acquisition Management Information Retrieval (DAMIR) system. Second, we described the security policy environment for managing these information systems (e.g., who owns these policies and what topics they discuss). Third, we described and summarized the information security policy and identified how particular policies affect the OUSD(AT&L)'s ability to provide access to acquisition data and to manage acquisition data.

Phase 1 Findings and Recommendations

• The process for gaining access to data is inefficient and may not provide access to the best data to support analysis. Government personnel and those supporting the government sometimes do not get their first choice of data, and even that data may take a long time to receive. They may be forced to use alternative sources, which often have data of lower quality, which might be dated and thus less accurate, or be subject to a number of caveats. While the consequences of these limitations are undocumented and difficult to assess and quantify, the results of these analyses can be inferior, incomplete, or misleading.

• Two groups of people face particular challenges in gaining access to data: OSD analytic groups and support contractors. OSD analytic groups often do not have access to the originators of the data, which precludes them from going to the primary source. They also tend to have poor visibility of all viable data sources, which encourages inefficient data-seeking practices. Direct support contractors have problems similar to those of OSD analysts, but these problems can be compounded by laws, regulations, and policy that restrict access to certain types of information (especially nontechnical proprietary data that originate and are labeled outside the government), which introduces extreme inefficiencies. Support contractors require special permissions to view nontechnical proprietary data.

• Difficulty in gaining access occurs for several reasons:

  o Data access policy is highly decentralized, not well known, and subject to a wide range of interpretation.

  o The markings for unclassified information play a significant role in access. The owner or creator of a document determines what protections or markings are required. However, marking criteria are not always clear or consistently applied. In fact, management and handling procedures for many commonly used markings are not clearly described anywhere. Once marked, getting the labels changed can be difficult. When information is not marked, the burden of handling decisions is placed on the receiver of the information.

  o Institutional and cultural barriers inhibit sharing. The stove-piped structure of the DoD limits visibility and sharing of data and information. Institutional structure and bureaucratic incentives to restrict data access are exacerbated by policy and guidance to protect information. The result is a strong conservative bias in labeling and a reluctance to share. A lack of trust and established relationships can hinder sharing.

Options for Improving Data Sharing

The variety of identified problems may be addressed in many ways. Each potential option requires further analysis and investigation. We offer initial thoughts on dealing with the issue of access to proprietary data, as well as the general confusion regarding policy.

Options to Address the Problem of Proprietary Data Access

There are several potential options to resolve the problem of access to proprietary data.


• The Under Secretary of Defense for Acquisition, Technology, and Logistics (USD[AT&L]) could seek additional billets and insource any functions that require access to proprietary data. However, this would require Office of Personnel Management and congressional support.

• USD(AT&L) could seek relief through a reallocation of billets to functions that currently require access to proprietary information. This would require cross-organizational prioritization, a difficult process.

• General access could be established for all direct support contractors. This would require legislative or contractual changes. Current legislation, Title 10 U.S. Code, Section 129d, allows litigation support contractors to view proprietary information. Similar legislation might be pursued for all support contractors.

• Alternatively, additional contractual language could be placed on all DoD acquisition contracts granting support contractors restricted access to their data. The direct support contractors who receive the data would have to demonstrate company firewalls, training, personal agreements, and need to know akin to those for classified information.

• The government could seek an alternative ruling on the nondisclosure requirements, whereby blanket nondisclosure agreements could be signed between the government and a direct support organization, or between a company and a direct support organization, to cover multiple tasks.

Each of these options would require further analysis and coordination with the Office of the General Counsel and Defense Procurement and Acquisition Policy (and Congress in the first and third options).
Options to Address Policy Confusion

There are also several options to address the confusion regarding policy.

• OUSD(AT&L) could create and maintain a central, authoritative online resource that references all relevant guidance on information management, handling, access, and release for acquisition data. This would require identifying the relevant policy and posting new policies as they become available.

• However, an online resource may not address the issue of the workforce having a general lack of expertise and insight regarding the existing policy and guidance. To cope with this problem, OUSD(AT&L) could also consider providing additional training for its staff on the identification and protection of data. This could be an annual online training for all OUSD(AT&L) staff and contractors.

• In areas where conflicting interpretations of guidance are particularly problematic, such as with For Official Use Only (FOUO) and proprietary information, additional guidance about how to determine whether information is FOUO or proprietary in the first place would be helpful. The guidance should provide specific examples of information that is considered protected, guidelines for determining whether specific information qualifies, and details regarding handling procedures for this information, including access privileges.

• Directives and incentives could be established so that markings that appear to be incorrect are challenged and not taken only on a company's or individual's claim. If more-detailed determination guidance is available, it could be used to assess the validity of a marking. A process should be in place for challenging markings, and it should be exercised.

There are important reasons for restricting access that require balancing control against granting more access. In information assurance and security policy, there is an understanding that no individual should have unfettered access to all data. Given the inherent complexity in securing data and sharing data, any solutions to problems associated with data sharing must be well thought out to avoid the multitude of unintended consequences that could arise.

Phase 2 Findings and Recommendations

Proprietary Information (PROPIN)

PROPIN is a special class of CUI that relates to information and data developed by a private entity but shared with the government. Substantial confusion exists within the DoD about what information is truly proprietary, who can have access to it, and how to grant access when needed. Although some policies attempt to define PROPIN and its handling restrictions, no single source describes the processes and procedures for dealing with this type of information. Rather, a patchwork of law, regulation, and policy governs it, some of which is clear, but some of which is less so. This hinders the DoD's use of contractors, restricts information flow, and limits analyses.

DoD personnel are confused about who can access PROPIN. Information so characterized generally can be treated like all other CUI, meaning all government personnel can be granted access (Treanor, 1999). This access is enabled by virtue of the fact that the government has obtained the information under a lawful requirement. Further, federal employees who improperly use PROPIN can be fired and/or prosecuted. In addition, employees with a security clearance sign a blanket nondisclosure agreement (NDA) between the employee and the government. However, many government personnel are not familiar with this longstanding practice and are reluctant to share information with other government personnel because of concerns about violating an unknown law or regulation. In addition, procedures for nongovernment personnel to gain access vary widely. Federal law (10 U.S.C. 2320) specifically addresses support contractor access to technical data provided to the government, but that law does not address nontechnical proprietary information supplied by contractor-originators. Consequently, DoD personnel often grapple with access issues among government and nongovernment personnel because of the lack of clear guidance about who can access what information, and about what information constitutes PROPIN.

Ultimately, the company submitting the information to the government is responsible for asserting that certain portions are proprietary, but the government recipient is responsible for determining whether to accept that assertion and for maintaining the "proprietary" label.[2] In other words, if the responsible government official determines that the information is not proprietary, that official is under no obligation to go back to the company (originator) before disclosing the information within the government to a support contractor. If the government official wants to publicly disclose the information in response to a Freedom of Information Act (FOIA) request, then the official would have to notify the company (originator). However, true PROPIN can only be disclosed within the government to support contractors (and now FFRDC employees) when a one-to-one NDA (i.e., between each individual at the support contractor or FFRDC and each company or program originating the data) has been executed.

The government distinguishes between contractors, generally, and the special contractual relationship established with FFRDCs.[3] In the past, the special relationship has meant that FFRDC personnel could be granted access to information directly by government personnel, or by signing a single, blanket NDA between the employee and the government, allowing them access to proprietary information in the course of their government-related work. But federal law does not specifically define what an FFRDC is or how to grant FFRDC personnel access to PROPIN. Nontechnical PROPIN is not specifically defined in statute, and courts have stated that what is truly proprietary is determined on a case-by-case basis under FOIA Exemption 4. Generally, the disclosure of the information must present the potential for a company's competitive position to be injured by a competing company (Department of Justice, 2009, p. 305).


[2] This statement is based on the researchers' understanding of current practices.

[3] FFRDCs have a unique relationship with the government because they have access beyond that which is common to the normal contractual relationship. They are free from organizational conflicts of interest. Also, it is not the government's intent that an FFRDC use its privileged information or access to installations, equipment, and real property to compete with the private sector. Finally, FFRDCs are meant to be independent research institutions characterized by objectivity. According to 48 C.F.R. 35.017 (a.k.a. FAR 35.017), "An FFRDC, in order to discharge its responsibilities to the sponsoring agency, has access, beyond that which is common to the normal contractual relationship, to Government and supplier data, including sensitive and proprietary data, and to employees and installations, equipment, and real property. The FFRDC is required to conduct its business in a manner befitting its special relationship with the Government, to operate in the public interest with objectivity and independence, to be free from organizational conflicts of interest, and to have full disclosure of its affairs to the sponsoring agency. It is not the Government's intent that an FFRDC use its privileged information or access to installations, equipment, and real property to compete with the private sector."

Recent DoD interpretations of policy and statute, specifically the Trade Secrets Act (18 U.S.C. 1905), have changed how FFRDCs are treated with respect to NDAs, resulting in an inefficient and ineffective process for securing them. Specifically, FFRDCs are now required to obtain an NDA between each contractor-originator of data in a system and each FFRDC employee who needs access, referred to in this report as "one-to-one" NDAs. Previously, FFRDC employees could sign a single, blanket NDA with the DoD to enable access to all needed information.

The RAND Corporation operates three FFRDCs: Project AIR FORCE, the Arroyo Center, and the National Defense Research Institute. Therefore, we have an interest in FFRDC access to data. We believe that our results are valid independent of that interest, and we have firsthand experience with the struggles of DoD personnel managing data and access.

Commonly Used CUI Data Markings

The current set of CUI labels and guidance states that only information which requires protection by federal regulation or government-wide policy can be considered CUI. In other words, a marking that does not originate from a protection established by law or government-wide policy should not be employed. We identified nine data labels commonly used to indicate that the information contained in a document or database requires some type of special handling or restriction. Those nine labels are

• Business Sensitive
• Competition Sensitive
• For Official Use Only
• Pre-Decisional
• Proprietary
• Source Selection Sensitive
• Technical Distribution Statements
• DoD Only
• Government Only

Some of these labels are governed by well-established policies that reflect current understanding of the law and regulatory environment for data protection and data sharing. Others are legacy markings and practices that were not aligned with draft CUI policy at the time this report was written. We were unable to find any single document collecting and describing all these labels; the lack of a single such document contributes to the general confusion surrounding them. It is difficult for government personnel to know how data can be shared. A result of this situation is the likely over-labeling and mislabeling of CUI material. Although we found that many of the most commonly used CUI labels do have a basis in law or policy, labels may not be understood in practice, used properly, or have clear handling procedures.

Consequently, data may not be used to inform, improve, and strengthen the DoD’s acquisition functions. Bottlenecks, risk aversion, and fear of releasing otherwise protected data can restrict legitimate access and data sharing, both within the government and between the government and select partners. While the National CUI program being established by the National Archives will help provide much-needed clarifications, it is unclear when this program will be finalized within the DoD.

Implications of DoD Security Policies for Two OUSD(AT&L) Acquisition Data Information Systems

Information security policies directly affect the access and utility of acquisition databases. The current information security environment does not establish a consistent framework for managing information systems. This makes it difficult for government employees to know how to comply with regulations; find funds and the technical capabilities to implement new policies; develop ways to evaluate costs and benefits of new policies and determine exceptions; and know how to identify, mark, and protect CUI. The impact of these challenges is a potential delay in accessing acquisition data by both government and nongovernment employees, which in turn may result in lower quality analyses or decisions based on incomplete information.

We used the Acquisition Information Repository (AIR) and Defense Acquisition Management Information Retrieval (DAMIR) OUSD(AT&L) acquisition data information systems as case studies to examine the implications of implementing security policies. AIR provides one central location for all Major Defense Acquisition Program (MDAP) and Major Automated Information System (MAIS) acquisition documents to support oversight and decision-making.[4] DAMIR fulfills several key functions, including reporting, storage, quality assurance, analysis, oversight, and tracking cost, schedule, and performance of major acquisition programs.[5] AIR largely represents the unstructured data problem, while DAMIR represents the challenges associated with structured data that both pull from and feed into other information systems.

A multitude of security policies affect management and operation of these systems. We identified about two dozen executive orders, laws, directives, instructions, operating guides, and other policies that affect AIR and DAMIR, some of which cover similar material. The AIR information managers have created a set of business rules based on their interpretation of those policies. For instance, according to DoD (2012) Manual 5200.01, volume 4, “The [government] originator of a document is responsible for determining at origination whether the information may qualify for CUI status, and if so, for applying the appropriate CUI markings” (p. 9). The information managers for AIR have interpreted this policy guidance from USD(I) to mean that the originators of the information being uploaded to AIR (e.g., the services and other OSD offices) are responsible for appropriately marking the information in AIR, even though the AIR managers have noticed some inconsistency in the marking of documents across document types. The AIR managers attribute this inconsistency to the variety of security classification guides being used by the originators to mark documents. Also, there is no process for ensuring that up-to-date marking conventions are followed for each document uploaded to AIR. Management and use of AIR are complicated by the need to access it on an IT system approved through Defense Security Service inspection, use a .mil e-mail address associated with a Common Access Card (CAC), and have approval through a government sponsor, who provides the rationale for granting a user access to AIR for a specific purpose. In addition, the permissions process is separate from the sensitivity of documents stored in AIR.

[4] AIR is a document repository that contains specific program documents (reports, certifications) used to inform acquisition decision-making and oversight.

[5] DAMIR has both unclassified and classified versions. It supports the generation, distribution, and archiving of Selected Acquisition Reports (SARs) as well as information supporting the Defense Executive Acquisition System (DAES) process. It also includes higher-level earned value management data. Unlike AIR, DAMIR is structured data that users can combine and analyze in multiple ways serving multiple functions.

DAMIR is hosted by the Joint Service Provider, which only partially resides within the OUSD(AT&L). External hosting separates operational and security management and creates the possibility of a disconnect between the business case for data use and security policies. In other words, the cost of the security may be high while the perceived benefits may be low. Understanding the business case (or use) for DAMIR is critical to maintaining security without unduly limiting the utility of the system for users. Security policies also inhibit system improvement, which requires code changes and upgrades. A recent determination that real data cannot be used for testing required additional programming work to invent data to test the system. The lack of actual data for testing makes determining whether a new database capability will ultimately work a speculative exercise.

Several years ago a security policy requiring accounts that have not been used in a 30-day period to be disabled significantly affected DAMIR. Many DAMIR users, including congressional staff and FFRDC analysts, log in infrequently (i.e., when new SAR or DAES reports come out) rather than routinely. The policy resulted in the suspension of accounts, which meant the DAMIR team had to re-register about 30% of 4,000 active user accounts initially after the policy was enforced. The DAMIR team continued to have significant problems for several months in re-activating inactive accounts.

Implementing new policies within DAMIR (which has more than 1.5 million lines of code) is also challenging. DAMIR was stood up under different security-related policies, and adapting its structure, programming, and business rules to accommodate new policies entails substantial effort. Furthermore, there is no up-to-date security architecture document because architecture and security policy governing DAMIR have evolved independently. Similarly, new interpretations of existing policies have consequences. For example, a new interpretation[6] of what potentially constitutes personally identifiable information (PII) caused the DAMIR management team to conduct a formal assessment of how individual privacy is being addressed in DAMIR due to the potential existence of PII in DAMIR.

CUI Marking and the Security Policy Environment

Overall, the current environment in which acquisition data are protected and shared can be characterized by many organizations promulgating policy on overlapping and interrelated topics, policies that are relatively new and change frequently, and an ill-defined CUI policy. Furthermore, security policies tend to be one-size-fits-all, which does not reflect the unique characteristics of each system. Those who originate the policies do not fund their implementation, meaning that a new or changed policy is effectively an unfunded requirement for system managers. This situation creates a number of issues for information system managers. First, it is difficult to know exactly what is required to comply with the numerous applicable policies. Second, managers have to find the funds to comply when policies change. Third, considerable confusion surrounds the identification and marking of CUI. This environment, which is causing a lot of inefficiency and many workarounds to solve problems, creates a managerial problem for the OUSD(AT&L).

[6] The interpretation was based on the reissue of DoD Directive (DoDD) 5400.11 that updated the established policies and assigned responsibilities of the DoD Privacy Program pursuant to section 552a of Title 5, U.S.C. (also known and referred to in this directive as “The Privacy Act”) and Office of Management and Budget (OMB) Circular No. A-130.

The overall effect of these problems almost certainly has a cost, though this cost is difficult to quantify. Government and nongovernment users of both DAMIR and AIR may, for example, simply seek to conduct analyses with other, less insightful data, or without data at all. No system, however, tracks the effects or costs of DAMIR and AIR (or any other information system) compliance with security policy. The cumulative effects of security policy requirements may exceed what is currently documented in the management of these two acquisition information systems. In other words, the effect of compliance actions on other information systems and user behavior can have a cascading effect; the problem is likely much larger than what has been documented here.

What the DoD Can Do to Improve the Situation

Proprietary Data

We suggest[7] that the Federal Acquisition Regulation (FAR) FFRDC provisions could be used as a basis for a DoD decision that FFRDCs are exempt from the relatively new one-to-one NDA requirement created by a change in DoD interpretation of the Trade Secrets Act, or could be covered by a single, blanket NDA with the DoD.[8] Office of Federal Procurement Policy staff suggested in a meeting with the authors of this report that the DoD Office of the General Counsel (OGC) was taking an overly restrictive view of the FAR FFRDC provisions. For non-FFRDC contractors, we also recommend that the DoD consider the following:

• Creating a DFARS provision that would cover nontechnical data,[9] possibly with a blanket NDA requirement
• Proposing a new legislative provision covering all nongovernment personnel similar to 10 U.S.C. 129d, which allows litigation support contractors access to “commercial, financial, or proprietary information” without a nondisclosure agreement
• Proposing a legislative amendment to 10 U.S.C. 2320, which allows access to technical data for providing advice or technical assistance to the government, that would include financial and management data

Regulatory and legislative changes both carry drawbacks. The DoD can propose changes to the DFARS without congressional action and presidential approval, but changing the DFARS might not adequately include previous PROPIN designations because a new clause would only affect contractors who presently have active DoD contracts. Changing the law is even more problematic because it requires congressional action and presidential approval, takes approximately two or more years, and may not even result in a change or could result in unwanted changes.

[7] Our recommendations are designed to increase access to sensitive data for analysis. As a party that has long analyzed such data, organizations such as RAND (an FFRDC) would, of course, benefit from such actions, and we understand readers may view our recommendations accordingly. Regardless, we trust our research can advance broader discussion of how the DoD can improve oversight of its acquisition programs.

[8] A blanket NDA would be an NDA between an organization and another organization, versus the current requirement of a one-to-one NDA between an individual and a contractor-originator of data.

[9] As noted above, 10 U.S.C. 2320 specifically addresses technical data, so we are only discussing nontechnical data.

CUI Markings and Labels

A more robust, central program for CUI data labeling, access, and management (including monitoring and challenging document originators) may help facilitate a smoother sharing and protection of CUI within the DoD. The DoD should also train its workforce on the new CUI labeling procedures when they are released and implemented by the DoD. Given that no central reference, institutional structure, or authority exists for defining and establishing proper handling procedures for CUI, we recommend that a function and reference be established within the OUSD(AT&L) for both technical and nontechnical acquisition data.

Security Policy

The problem that needs to be solved with respect to security policy is the clear mismatch of responsibility, authority, and accountability among the organizations that issue security policy and manage or host the information systems. We offer several recommendations oriented at addressing this problem.

First, we suggest using existing information requirements to document how security policies are affecting the management of information systems. While there are many anecdotes about difficulties in implementing security policy for AIR and DAMIR, these are not documented in a central location or updated over time. By documenting difficulties, including resources used to implement various policies, the OUSD(AT&L) would better understand how security policies are affecting their systems and whether a better balance between security and business cases[10] is being achieved.

Second, we suggest that a function be established within the OUSD(AT&L) to review information security policies, de-conflict them, reduce duplication, ensure consistency, and identify gaps for all acquisition data collected and used within the OUSD(AT&L). This function would be responsible for communicating with the OUSD(AT&L) information-system managers in order to have a greater understanding of the inefficiencies in implementing security policy. This function (or working group) should include all relevant stakeholders so as to represent both security and mission perspectives.

Third, a single individual should be designated with responsibility for implementing security strategy for a given information system. This individual, the AO, could work with the policy originator to ensure appropriate interpretation and application of policy. For the OUSD(AT&L) information systems, we believe that the AO should be selected based on knowledge of the mission area (i.e., a subject matter expert). The goal is to have someone who is familiar with the business case for a system to be more involved in the daily operations of that system and to track security policy changes and implementation.

[10] Enterprise Information (EI) within OUSD(AT&L)/ARA is responsible for “providing leadership timely access to accurate, authoritative and reliable data supporting acquisition oversight, analysis, and decision-making.” EI needs to fulfill its mission with limited resources, so it must balance the business case for adding new capability to its information systems (DAMIR and AIR) with what is being mandated for it to implement for adequate security of its information systems.

Fourth, the requirement that each information system have and maintain a security strategy should be used as an opportunity to ensure an appropriate balance between security risk, business case, and the use case[11] for each information system. The security strategy should be updated as policies, threats, or system use change, providing a consistent framework over time to evaluate the balance between risk and utility.

Finally, implementation of security policy should be appropriately resourced. The issuing organization should assess required resources as part of policy design and provide at least some funding to address needed technical changes to the information systems. Similarly, the organizations managing information systems should identify resources to address implementation of security policy as part of the security strategies they maintain.
Acquisition Data Access Issues Need AT&L Ownership and Resolution

• Government, FFRDCs, and direct support contractors may lack access to acquisition data and information needed for their roles in acquisition
  - Prime contractors provide acquisition data, specifically controlled unclassified information (CUI), to the government
  - Government wants these data available for analysis to help decision making
• Lack of acquisition data can lead to
  - Worse decisions
  - Duplicated efforts
  - Loss of productivity
OUSD(AT&L)/ARA, PARCA, and OSD CAPE Asked RAND to Define Challenges and Options

[Report cover: Issues with Access to Acquisition Data and Information in the Department of Defense]

• Phase 1 research
  - Identify and describe acquisition data sharing problems and evaluate data sharing policy
  - Research featured structured discussions with 67 acquisition professionals from 18 separate offices
• Phase 2 goes deeper into several specific issues
  - Evaluate how marking/labeling Controlled Unclassified Information (CUI) procedures, practices, and security policy affect needed access to acquisition oversight data
  - Conducted structured discussions with information managers; analyzed origins of commonly used acquisition data markings
Many Interviewees Described Inefficient Data Access Processes

GOVERNMENT
“Each account I create is like 5 touch points between an email, phone call, their POC, certificate handling, vetting. It’s a lot of work.”

FFRDC
“I couldn’t get access because I didn’t have a .mil e-mail address, so I had to go to the Pentagon to access the data.”

GOVERNMENT FOR FFRDC AND DIRECT SUPPORT CONTRACTOR
“If there are dozens of support contractors and dozens of prime contractors and I have to get an NDA for each support contractor and prime contractor combination, it’s a lot of work.”

GOVERNMENT ON BEHALF OF FFRDC
“The sponsor has to have access to the central repository, then request a download of several documents I need, then transfer the data to me.”

GOVERNMENT
“It took me three months, multiple e-mails and phone calls, to get a one hour meeting with five SESs to view data that *might* be proprietary.”
Overall, We Found that DoD Struggles With a Variety of Data Access Challenges

• Third parties (e.g., FFRDCs) must establish multiple agreements to view some data
• Data access policy is highly decentralized, not well known, and subject to a wide range of interpretation
• Marking criteria are not always clear or consistent
• Institutional and cultural barriers exacerbate data sharing issues — even within the government
Government and Contractors Rely Upon Access to Proprietary Data

Prime contractors provide data on their programs . . . to DoD and its support contractors . . . who make data available to users . . . but users must have NDAs with each program
RAND Identified Possible Options to Improve Access to PROPIN

• FAR 35.017 could be used to grant FFRDC staff access to all relevant information
  - Improves quality of analytic support to DoD
  - Initial contact with FAR Council staff indicated DoD interpretation is different from other USG agencies
• Relieves administrative burden of dealing with large number of non-disclosure agreements (NDAs)
  - Right now, ~100 NDAs for each person
• Could consider focused changes to regulations and/or law to handle for-profit contractor PROPIN access
  - Law already addresses contractors supporting litigation and contractor access to “technical data”
  - May be possible to change contracts and require one-to-many NDA, instead of one-to-one NDA
DoD Pursuing Legal Change to Ease Access to Acquisition Data

• Discussions with AT&L and OGC revealed
  - Legal interpretation limits options
  - AT&L staff considered 2 options for FY17
    • 1 for FFRDCs; 1 for support contractors
• Final AT&L legislative proposal would create new provision specifically for FFRDCs
  - Addresses PROPIN and other sensitive info
• Changing law does not solve the problem in the short term but other options may provide relief

Conclusion: AT&L will continue to struggle with the inefficiencies of NDAs


RAND
Approved for public release; distribution is unlimited.
OUSD(AT&L)/ARA Data Studies 11

Another Complication: Many Offices Issue DoD Data Management, Access, Release, & Handling Policy

Leads to policy decentralization, inconsistency, and workforce confusion
Law, Regulation, and Policy Governing Access and Management of Data Are Not Well Known

General discussions regarding policy and data sharing indicate clarification is needed in multiple areas:

• What constitutes legitimate rationale for gaining access to data?
• Who is responsible for removing the caveats when something is no longer source sensitive or classified?
• Who can correct a label on a document that is clearly wrong?
• What determines “need to know?”
• What determines “Government only?”
• Do we have a policy that access to data should be written into all contracts?
• Is there policy/guidance which dictates where information can flow?

More specific discussions covered PROPIN, FOUO, and contractor roles:

• What can be considered PROPIN?
• Who can determine if something is PROPIN?
• What is the policy for releasing PROPIN?
• What constitutes FOUO?
• Is there guidance on FOUO sharing?
• How can FOUO be remarked?
• Can FFRDCs and UARCs be considered direct support/direct report?
• Is there a policy for granting FFRDCs Special Access Permissions?
• Is there any clarifying guidance on how to work with FFRDCs?
Determining Information Protection (Marking) Plays a Significant Role in Access

• Policy owner’s/creator’s responsibility to mark and grant access to data
• However, marking criteria are not always clear nor consistently applied, which can lead to
  - Incorrect markings at the individual level
  - Decisions favoring protection rather than sharing data, given many disincentives but few incentives to sharing data
• Most commonly used CUI labels have a basis in law or policy, but method to protect and control access is not always defined
Additional Issues Regarding Marking Data

• Difficult to change improperly marked information
  - Offices and individuals change over time
  - If originator is not available, others may not accept responsibility of re-marking
• No alternative process for challenging markings
  - Only real forcing functions to challenge a label are external FOIA requests
• When information is not marked, the burden of handling decisions is placed on the receiver
• Reliance upon past practices to determine data management and handling procedures
DoD’s Institutional Structure and Culture Exacerbate Access Challenges

• Stovepipe structure limits data visibility across DoD and ability to conduct cross-cutting analyses
• Policies are created by organizations with different missions and business needs than those interpreting and implementing them
• Lack of trust and established relationships hinders access; in established relationships, data flows more freely
• Our discussions found organizational leaders do not always promote sharing between or within organizations
USD(AT&L) and CAPE Should Provide Guidance and Training on CUI

• Develop guidance on how to determine whether information is proprietary
• Create and maintain central, authoritative online resource that references all relevant guidance
• Add a CUI data identification and protection module to the annual IT online training for AT&L staff and contractors
• Improve, develop, and use mechanisms for challenging labels
• Continue to lead efforts to improve data sharing




USD(AT&L) Should Formalize a Data Management Function

• Responsibilities should include:
  - representing AT&L interests for acquisition data in DoD forums
  - managing data policy and data issues for AT&L
  - categorizing acquisition data into CUI categories
  - exploring additional options to resolve proprietary data access challenges

Acquisition data access issues need AT&L ownership and resolution